Analysis

max time kernel: 46s
max time network: 22s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/06/2023, 19:22
Static task: static1

Behavioral task: behavioral1
Sample: bebra.exe
Resource: win10-20230220-en

Behavioral task: behavioral2
Sample: bebra.exe
Resource: win7-20230220-en
General

Target: bebra.exe
Size: 9.9MB
MD5: fd59bd3d4746805751cfe6a936dd2845
SHA1: 5a50900e19a773e8253f9c0217671d66e1821139
SHA256: e179897585a4cfcc0daccddacfdde085a4ce363706aa858707bd698ba42dc79e
SHA512: 2faa999c5b298d03f0c2a43799201fc1329c555a3363a95459cb27550f363b2690107ec1c20551cc275bdcc8dd21a733a78ac7152771903600d44b3aac9facf4
SSDEEP: 196608:ndIRGWlhI6gUQWZtCjT0u7+gu4WO6d3rjX57QfOx8k2NwzIXK+JVsWj7X:nGMWlhI6g/WZHa+gAd3rjJEfOx8R/X/L
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (bebra.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (bebra.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (bebra.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bebra.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 2388 bebra.exe

Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\rescache\_merged\4183903823\810424605.pri (taskmgr.exe)
- File created: C:\Windows\rescache\_merged\1601268389\3877292338.pri (taskmgr.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (25 IoCs)
- PID 4208 taskmgr.exe (25 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4208 taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 4208 taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 4208 taskmgr.exe

Suspicious use of FindShellTrayWindow (37 IoCs)
- PID 4208 taskmgr.exe (37 occurrences)

Suspicious use of SendNotifyMessage (37 IoCs)
- PID 4208 taskmgr.exe (37 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2388 wrote to memory of 4580; PID 2388 bebra.exe; procid_target 67
- PID 2388 wrote to memory of 4580; PID 2388 bebra.exe; procid_target 67
- PID 4580 wrote to memory of 4984; PID 4580 cmd.exe; procid_target 69
- PID 4580 wrote to memory of 4984; PID 4580 cmd.exe; procid_target 69
Processes

C:\Users\Admin\AppData\Local\Temp\bebra.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bebra.exe"
  PID: 2388
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\bebra.exe
    PID: 4580
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 0
      PID: 4984

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 4208
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage